1. INTRODUCTION

To be able to verify liveness properties of a system [Alpern and Schneider 1985], it is almost always necessary to include a fairness hypothesis in the system description [Francez 1986]. Indeed, introducing a fairness hypothesis makes it possible to ignore behaviors that correspond to extreme execution scenarios and that, in any case, would not occur in any reasonable implementation. Even though this intuition is clear, making fairness precise is somewhat more complicated: should one be "weakly" or "strongly" fair, "transition" or "process" fair, or isn't "justice" or even "compassion" what fairness should really be [Manna and Pnueli 1992]? Of course, there is a rational way of choosing which fairness notion is adequate for a given problem by considering the nature of the model being used and making reasonable assumptions about how it might be implemented, but it remains that this choice is crucial and delicate.

Furthermore, introducing a fairness hypothesis often makes the verification process somewhat more problematic. This is especially true when abstraction is used. Indeed, since after moving to the abstract level one deals with a reduced set of observables, it can become impossible to express correctly the fairness hypothesis under which the system is correct. This makes one wish for a more general and abstract notion of truth under fairness that would contribute to simplifying verification, especially in the context of abstraction. Intuitively, the notion to be formalized is that of a property being true provided one is given "some control" over the choices made during infinite executions. In other words, one wants to characterize the properties that can be made true by "some fair implementation" of the system.

In this paper, we show that the concept of a property being satisfied within fairness is a suitable abstraction of truth under fairness that lends itself easily to verification in the context of abstraction by using the techniques of [Nitsche and Ochsenschlager 1996; Nitsche and Wolper 1997; Ochsenschlager 1994; Ochsenschlager 1995]. The idea of satisfaction within fairness is to re-interpret the notion of relative liveness properties as a satisfaction relation. Relative liveness properties are liveness properties within the universe of behaviors of the system. Their definition is a relativized version of the definition of liveness: every prefix of a behavior of the system can be extended to an infinite behavior that satisfies the property. This concept and the dual notion of relative safety property were introduced in [Henzinger 1992] as a means of clarifying the shift from liveness to safety when timing constraints are introduced in a system. It can also be traced to the notion of machine-closed property [Abadi and Lamport 1988; Abadi and Lamport 1990; Alur and Henzinger 1991].

Here we make a different use of the concept. In fact, we interpret relative liveness as a satisfaction relation for properties represented by temporal logic formulas [Emerson 1990; Pnueli 1977]. Notice that for a property to be satisfied within fairness does correspond, in the desired abstract sense, to the property being satisfied under fairness. Indeed, in crude terms, the system almost satisfies properties that are satisfied within fairness: it just needs the "help of some fairness" (remember that every prefix of a behavior of the system can be extended to an infinite behavior that satisfies the property). Furthermore, we show that for ω-regular systems and properties, deciding satisfaction within fairness is a PSPACE-complete problem. This and the fact that, in a reasonable sense, properties satisfied within fairness can be satisfied by some fair implementation are first indications of the usefulness of this concept for verification.

This usefulness is even more apparent when considering abstraction. Indeed, satisfaction within fairness enables us to circumvent the fact that truth under fairness is usually not preserved by abstraction mappings. Precisely, we consider abstractions defined by language homomorphisms in the context of systems described by ω-languages. We prove that whether a property is satisfied within fairness can be reliably checked on the abstract system, provided that the homomorphism is weakly continuation-closed. Weakly continuation-closed homomorphisms were introduced in [Ochsenschlager 1992] (see also [Ochsenschlager 1994]), where they are called simple homomorphisms. For homomorphisms, being weakly continuation-closed essentially means that they are faithful with respect to the continuation of a word within a language, i.e. the image of the continuation is the continuation of the image of the word in the image of the language. We show that weakly continuation-closed homomorphisms preserve exactly properties satisfied within fairness.

2. INTRODUCTORY EXAMPLES

To motivate the definitions we present later on, we start with a small example of a concurrent reactive system. Consider the system described as a Petri net in Figure 1.

It is a server that, after having received a request, can send a result or a rejection to its client, depending on whether the resource it manages has been freed or locked. The possible behaviors of the system are represented by the finite-state system shown in Figure 2 (the reachability graph of the Petri net). The initial state is shaded grey, a convention we will also use in subsequent state diagrams.

Fig. 2. The behaviors of the small system

From Figure 2 it is easy to see that our system does not satisfy the propositional linear time temporal logic [Emerson 1990; Pnueli 1977] property $\Box\Diamond(\mathit{result})$. Indeed, $\mathit{lock} \cdot (\mathit{request} \cdot \mathit{no} \cdot \mathit{reject})^\omega$ is a computation of the system that does not satisfy $\Box\Diamond(\mathit{result})$. Nevertheless, it is clear that what is missing for the property $\Box\Diamond(\mathit{result})$ to be true is a fairness hypothesis on the system executions. The notion of a property being satisfied within fairness captures this: $\Box\Diamond(\mathit{result})$ is satisfied within fairness by the set of behaviors described by Figure 2 (see Definitions 4.1 and 4.12).

Figure 3 gives a finite-state diagram describing the behaviors of a system similar to the one of Figure 1 but containing an error: in Figure 3, if the resource is locked, there is no possibility to free it again. There is also another difference, namely that in Figure 3 a request can also be rejected when the resource is available, but the motivation for this is linked to our subsequent discussion of abstraction. The point to notice now is that no notion of fairness can make $\Box\Diamond(\mathit{result})$ true of the new system and that the notion of satisfaction within fairness captures this again: $\Box\Diamond(\mathit{result})$ is not satisfied within fairness by the set of behaviors described in Figure 3.

[Figure 3: state diagram with transitions labelled lock, request, result and reject; not reproduced here.]

Fig. 3. The behaviors of the small system with an error

Let us now consider abstraction. Imagine we are only interested in the actions request, result, and reject. We thus consider an abstraction homomorphism that maps all other actions to the empty word. If we apply this homomorphism to the labeled transition system of Figure 2 we obtain after reduction the transition diagram of Figure 4. The property $\Box\Diamond(\mathit{result})$ is satisfied within fairness by the behaviors described in Figure 4.

[Figure 4: state diagram with transitions labelled request, result and reject; not reproduced here.]

Fig. 4. An abstract version of the small system.

Can we conclude from there that it is also satisfied within fairness by the behaviors described by Figure 2? Not without caution, since Figure 4 is also obtained by abstracting from Figure 3. What distinguishes the two abstractions is the nature of the homomorphism. In the case of Figure 2 the homomorphism preserves properties satisfied within fairness, whereas it does not do so in the case of Figure 3. In Section 8 we will elaborate on this and show that one can conclude that properties satisfied within fairness by the abstract system also hold on the concrete system precisely when the homomorphism is weakly continuation-closed.

3. PRELIMINARIES

For defining our concepts, we need several notions from language theory [Berstel 1979; Eilenberg 1974; Harrison 1978; Thomas 1990]. Let $L \subseteq \Sigma^*$ be a language and let $L_\omega \subseteq \Sigma^\omega$ be an ω-language.

Definition 3.1. The left quotient of $L$ by a word $w \in \Sigma^*$ is defined by $\mathit{cont}(w, L) = \{v \in \Sigma^* \mid wv \in L\}$. The left quotient of $L_\omega$ by $w \in \Sigma^*$ is similarly defined by $\mathit{cont}(w, L_\omega) = \{x \in \Sigma^\omega \mid wx \in L_\omega\}$.

The left quotient describes the possible continuations of a word in a language. When considering system behaviors, it describes "what can happen after $w$ has happened". Therefore we denote the left quotient of $L$ by $w$ by $\mathit{cont}(w, L)$, "the set of continuations of $w$ in $L$", instead of the notation $w^{-1}(L)$ common in language theory.

The notation $\mathit{pre}(L)$ designates the set of prefixes of words in $L$. A language $L$ is called prefix-closed if and only if $L = \mathit{pre}(L)$. For an ω-word $x$, $\mathit{pre}(x)$ designates the set of all finite prefixes of $x$ and, for an ω-language $L_\omega$, $\mathit{pre}(L_\omega)$ designates the set of all finite prefixes of ω-words in $L_\omega$. The Eilenberg-limit [Eilenberg 1974] of a language $L$ is the set $\lim(L) = \{x \in \Sigma^\omega \mid \exists^\infty w \in \mathit{pre}(x) : w \in L\}$. Here, "$\exists^\infty \ldots$" abbreviates "there exist infinitely many different ...". For a word $w$ and an ω-word $x$, we denote their $n$th letter by $w_n$ and $x_n$ respectively. Finally, the notation $x_{(n\ldots)}$, $n \in \mathbb{N}$, represents the suffix $x_n x_{n+1} x_{n+2} \ldots$ of an ω-word $x \in \Sigma^\omega$ starting with the $n$th letter of $x$.

To describe properties, we use propositional linear-time temporal logic (PLTL) [Emerson 1990; Pnueli 1977]. PLTL-formulas are defined with respect to a set $AP$ of atomic propositions. All atomic propositions and the proposition $\mathit{true}$ are PLTL-formulas. If $\xi$ and $\zeta$ are PLTL-formulas, then so are $\neg(\xi)$, $(\xi) \wedge (\zeta)$, $\bigcirc(\xi)$ and $(\xi)\,\mathcal{U}\,(\zeta)$. There exist additional operators that are abbreviations of particular operator combinations:

$(\xi) \vee (\zeta) = \neg((\neg(\xi)) \wedge (\neg(\zeta)))$,

$(\xi) \Rightarrow (\zeta) = (\neg(\xi)) \vee (\zeta)$,

$(\xi) \Leftrightarrow (\zeta) = ((\xi) \Rightarrow (\zeta)) \wedge ((\zeta) \Rightarrow (\xi))$,

$\Diamond(\xi) = (\mathit{true})\,\mathcal{U}\,(\xi)$,

$\Box(\xi) = \neg(\Diamond(\neg(\xi)))$,

$(\xi)\,\mathcal{R}\,(\zeta) = \neg((\neg(\xi))\,\mathcal{U}\,(\neg(\zeta)))$.

PLTL-formulas are interpreted over infinite sequences of truth values for the atomic propositions, i.e. over functions of the type $\mathbb{N} \to 2^{AP}$ or, equivalently, over ω-words defined on the alphabet $2^{AP}$. For convenience, we will also interpret PLTL formulas over infinite words defined on an arbitrary alphabet $\Sigma$ with the help of a labeling function $\lambda : \Sigma \to 2^{AP}$. The semantics of a PLTL formula with respect to an infinite word and a labeling function $\lambda : \Sigma \to 2^{AP}$ is then the following. (Read "$\models$" as "satisfies".)

$x, \lambda \models \mathit{true}$.

If $\eta$ is an atomic proposition, then $x, \lambda \models \eta$ if and only if $\eta \in \lambda(x_1)$.

If $\eta = \neg(\xi)$, then $x, \lambda \models \eta$ if and only if it is not the case that $x, \lambda \models \xi$.

If $\eta = (\xi) \wedge (\zeta)$, then $x, \lambda \models \eta$ if and only if $x, \lambda \models \xi$ and $x, \lambda \models \zeta$.

If $\eta = \bigcirc(\xi)$, then $x, \lambda \models \eta$ if and only if $x_{(2\ldots)}, \lambda \models \xi$.

If $\eta = (\xi)\,\mathcal{U}\,(\zeta)$, then $x, \lambda \models \eta$ if and only if there exists $i \in \mathbb{N}$ such that $x_{(i\ldots)}, \lambda \models \zeta$ and, for all $j < i$, $x_{(j\ldots)}, \lambda \models \xi$.

The meaning of the other operators can be derived from their definition. We will write $L_\omega, \lambda \models \eta$ if and only if $x, \lambda \models \eta$ for all $x \in L_\omega$.

Definition 3.2. A property $\mathcal{P}$ over an alphabet $\Sigma$ is a subset of $\Sigma^\omega$. An ω-language $L_\omega \subseteq \Sigma^\omega$ satisfies $\mathcal{P}$ if and only if $L_\omega \subseteq \mathcal{P}$. For an alphabet $\Sigma$ and a labeling function $\lambda : \Sigma \to 2^{AP}$, the property represented by a PLTL-formula $\eta$ over $\Sigma$ is the set $L_\eta = \{x \in \Sigma^\omega \mid x, \lambda \models \eta\}$.

4. RELATIVE LIVENESS AND SAFETY

In this section, we review the definition of relative liveness properties of an ω-language, as well as their counterpart, relative safety properties. Based on the notion of a relative liveness property, we will define the satisfaction of properties within fairness. Let $L_\omega \subseteq \Sigma^\omega$ be an ω-language representing the behavior of a system and let $\mathcal{P} \subseteq \Sigma^\omega$ be a property.

Definition 4.1. A property $\mathcal{P}$ is a relative liveness property of $L_\omega$ (we write this already as a satisfaction relation: $L_\omega \models_l \mathcal{P}$) if and only if $\forall w \in \mathit{pre}(L_\omega) : \exists x \in \mathit{cont}(w, L_\omega) : wx \in \mathcal{P}$.

Definition 4.2. A property $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $\forall x \in L_\omega$: if $x \notin \mathcal{P}$, then $\exists w \in \mathit{pre}(x) : \forall z \in \mathit{cont}(w, L_\omega) : wz \notin \mathcal{P}$.

Remark 4.3. If $L_\omega = \Sigma^\omega$, then the definitions of relative liveness and relative safety become exactly the definitions of liveness and safety given in [Alpern and Schneider 1985].

To prove the decidability of relative liveness and safety for regular ω-languages, we use the following characterizations of these properties.

Lemma 4.4. $\mathcal{P}$ is a relative liveness property of $L_\omega$ if and only if $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$.

Proof. By definition, $L_\omega \models_l \mathcal{P}$ if and only if, for all $w \in \mathit{pre}(L_\omega)$, there exists $x \in \mathit{cont}(w, L_\omega)$ such that $wx \in \mathcal{P}$. Hence we have $w \in \mathit{pre}(L_\omega \cap \mathcal{P})$, for all $w \in \mathit{pre}(L_\omega)$. This is equivalent to $\mathit{pre}(L_\omega) \subseteq \mathit{pre}(L_\omega \cap \mathcal{P})$. On the other hand, $\mathit{pre}(L_\omega \cap \mathcal{P}) \subseteq \mathit{pre}(L_\omega)$, and thus $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$.

If $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$, then $w \in \mathit{pre}(L_\omega \cap \mathcal{P})$, for all $w \in \mathit{pre}(L_\omega)$. Therefore, for all $w \in \mathit{pre}(L_\omega)$, there exists an $x \in \mathit{cont}(w, L_\omega)$ such that $wx \in \mathcal{P}$ and hence $\mathcal{P}$ is a relative liveness property of $L_\omega$. □
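As an added example (not part of the paper), the following Python code applies Lemma 4.4 to the server of Section 2. The two transition systems are stand-ins constructed from the textual description of Figures 2 and 3 (the figures are not reproduced on the page), using the actions lock, free, request, result and reject; the state names F0, L0, F1, L1 and all function names are the example's own. For a limit-closed finite-state system and the property $\Box\Diamond(\mathit{result})$, a prefix $w$ lies in $\mathit{pre}(L_\omega \cap \mathcal{P})$ exactly when the state reached by $w$ can reach a result-transition that lies on a cycle, so $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$ reduces to a reachability check over the states; the set of states kept is also the state set of the reduced Büchi automaton used later in the proof of Theorem 5.1.

```python
# Added example (not from the paper): checking that GF(result) is satisfied
# within fairness by a finite-state labelled transition system, via the
# characterisation of Lemma 4.4, pre(L) = pre(L ∩ P).  Both models are
# stand-ins for Figures 2 and 3, constructed from the textual description.
from collections import deque

# Transition systems as {state: {action: target}}; the initial state is "F0".
# States: F0 free/idle, L0 locked/idle, F1 free/pending, L1 locked/pending.
SERVER = {
    "F0": {"lock": "L0", "request": "F1"},
    "L0": {"free": "F0", "request": "L1"},
    "F1": {"result": "F0"},
    "L1": {"reject": "L0"},
}
# Faulty variant: once locked, the resource is never freed again; a request
# may also be rejected while the resource is free.
SERVER_ERR = {
    "F0": {"lock": "L0", "request": "F1"},
    "L0": {"request": "L1"},
    "F1": {"result": "F0", "reject": "F0"},
    "L1": {"reject": "L0"},
}

def reachable(ts, start):
    """All states reachable from `start` (the prefixes of L end in exactly these)."""
    seen, todo = {start}, deque([start])
    while todo:
        s = todo.popleft()
        for t in ts[s].values():
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def run(ts, start, word):
    """State reached from `start` after reading `word`, or None if word ∉ pre(L)."""
    s = start
    for a in word:
        if a not in ts[s]:
            return None
        s = ts[s][a]
    return s

def live_states(ts, action):
    """States from which an `action`-edge lying on a cycle is reachable.
    A finite path ending here extends to an infinite one taking the edge
    infinitely often, so these states characterise pre(L ∩ GF action).
    They are also the states of the reduced Büchi automaton of Theorem 5.1."""
    on_cycle = set()
    for s, edges in ts.items():
        for a, t in edges.items():
            if a == action and s in reachable(ts, t):   # edge s -action-> t closes a cycle
                on_cycle.add(s)
    return {s for s in ts if reachable(ts, s) & on_cycle}

def satisfied_within_fairness(ts, init, action):
    """GF action is satisfied within fairness (Definition 4.12) iff every
    reachable state, i.e. every prefix of L, can be continued into a
    behaviour of L ∩ P: pre(L) = pre(L ∩ P) (Lemma 4.4)."""
    return reachable(ts, init) <= live_states(ts, action)

def counterexample_prefix(ts, init, action):
    """Shortest w ∈ pre(L) \\ pre(L ∩ P) (BFS), or None if there is none."""
    dead = reachable(ts, init) - live_states(ts, action)
    seen, todo = {init}, deque([(init, ())])
    while todo:
        s, w = todo.popleft()
        if s in dead:
            return w
        for a, t in ts[s].items():
            if t not in seen:
                seen.add(t)
                todo.append((t, w + (a,)))
    return None

if __name__ == "__main__":
    print(satisfied_within_fairness(SERVER, "F0", "result"))       # True
    print(satisfied_within_fairness(SERVER_ERR, "F0", "result"))   # False
    print(counterexample_prefix(SERVER_ERR, "F0", "result"))       # ('lock',)
```

In the faulty model the prefix lock reaches a state from which no result-transition is reachable at all, which is exactly why no fairness assumption can rescue $\Box\Diamond(\mathit{result})$ there, whereas in the correct model every reachable state can still reach the result-cycle through F1.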
Lemma 4.5. $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $L_\omega \cap \lim(\mathit{pre}(L_\omega \cap \mathcal{P})) \subseteq \mathcal{P}$.

Proof. By definition, $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if

$\forall x \in L_\omega : (\, x \notin \mathcal{P} \Rightarrow (\, \exists w \in \mathit{pre}(x) : \forall z \in \mathit{cont}(w, L_\omega) : wz \notin \mathcal{P} \,) \,)$.

By taking the contrapositive of the implication this is equivalent to

$\forall x \in L_\omega : (\, (\, \forall w \in \mathit{pre}(x) : \exists z \in \mathit{cont}(w, L_\omega) : wz \in \mathcal{P} \,) \Rightarrow x \in \mathcal{P} \,)$.

The part $(\, \forall w \in \mathit{pre}(x) : \exists z \in \mathit{cont}(w, L_\omega) : wz \in \mathcal{P} \,)$ is equivalent to the condition $\mathit{pre}(x) \subseteq \mathit{pre}(L_\omega \cap \mathcal{P})$. Thus, $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $\forall x \in L_\omega : (\, (\, \mathit{pre}(x) \subseteq \mathit{pre}(L_\omega \cap \mathcal{P}) \,) \Rightarrow x \in \mathcal{P} \,)$. All ω-words $x$ in $L_\omega$ such that $\mathit{pre}(x) \subseteq \mathit{pre}(L_\omega \cap \mathcal{P})$ can be represented by the set $L_\omega \cap \lim(\mathit{pre}(L_\omega \cap \mathcal{P}))$. Thus, $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $L_\omega \cap \lim(\mathit{pre}(L_\omega \cap \mathcal{P})) \subseteq \mathcal{P}$. □

Theorem 4.6. Given an ω-regular language $L_\omega$ and an ω-regular property $\mathcal{P}$ given by nondeterministic Büchi automata or PLTL formulas, determining if $\mathcal{P}$ is a relative liveness or safety property is decidable and is a PSPACE-complete problem.

Proof. The characterizations given by Lemma 4.4 and Lemma 4.5 reduce the problem to questions decidable in PSPACE [Thomas 1990; Garey and Johnson 1979] (notice that for PLTL formulas one can build in PSPACE an automaton for the formula and for its complement [Vardi and Wolper 1994]). Hardness can be established by a reduction from regular language inclusion [Garey and Johnson 1979]. □

Note that Lemma 4.4 provides the link between relative liveness and machine closure. Indeed, recall the following definition [Abadi and Lamport 1988; Abadi and Lamport 1990; Alur and Henzinger 1991].

Definition 4.7. Let $A \subseteq L_\omega \subseteq \Sigma^\omega$, for an alphabet $\Sigma$. $(L_\omega, A)$ is called a machine closed live structure if and only if $\mathit{pre}(L_\omega) \subseteq \mathit{pre}(A)$.

We thus have that $\mathcal{P} \subseteq \Sigma^\omega$ is a relative liveness property of $L_\omega$ if and only if $(L_\omega, \mathcal{P} \cap L_\omega)$ is a machine closed live structure (see Lemma 4.4).

General properties can always be represented as the intersection of a liveness and a safety property [Alpern and Schneider 1985]. As given precisely below, the relativized version of this result is that a property holds for an ω-language if and only if it is both a relative liveness and a relative safety property of the language.

Theorem 4.8. An ω-language $L_\omega$ satisfies a property $\mathcal{P}$ ($L_\omega \subseteq \mathcal{P}$) if and only if $\mathcal{P}$ is a relative safety and a relative liveness property of $L_\omega$.

Proof. If $L_\omega \subseteq \mathcal{P}$, then, trivially, $\mathcal{P}$ is a relative safety and a relative liveness property of $L_\omega$.

If $\mathcal{P}$ is a relative safety property of $L_\omega$, then $L_\omega \cap \lim(\mathit{pre}(L_\omega \cap \mathcal{P})) \subseteq \mathcal{P}$ (Lemma 4.5). If, additionally, $\mathcal{P}$ is a relative liveness property of $L_\omega$, then, by Lemma 4.4, $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$. Therefore, we can replace $\mathit{pre}(L_\omega \cap \mathcal{P})$ by $\mathit{pre}(L_\omega)$ in the safety condition and obtain $L_\omega \cap \lim(\mathit{pre}(L_\omega)) \subseteq \mathcal{P}$. Because $L_\omega \cap \lim(\mathit{pre}(L_\omega)) = L_\omega$, we finally obtain $L_\omega \subseteq \mathcal{P}$. □

As shown in [Henzinger 1992], relative liveness and safety properties also have an elegant definition within the Cantor topology, i.e. the topological space over $\Sigma^\omega$ compatible with the following metric [Eilenberg 1974]. (For topological notions see [Kelley 1955].)

Definition 4.9. Let $\mathit{common}(x, y)$ designate the longest common prefix of two ω-words $x$ and $y$ in $\Sigma^\omega$. We define the metric $d(x, y)$ by

$\forall x, y \in \Sigma^\omega, x \neq y : d(x, y) = \dfrac{1}{|\mathit{common}(x, y)| + 1}$,

$\forall x \in \Sigma^\omega : d(x, x) = 0$.

Lemma 4.10. A property $\mathcal{P}$ is a relative liveness property of an ω-language $L_\omega$ if and only if $L_\omega \cap \mathcal{P}$ is a dense set in $L_\omega$.

Proof. Let $L_\omega \models_l \mathcal{P}$, and let $x \in L_\omega$. Then $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$. Thus, $\mathit{pre}(x) \subseteq \mathit{pre}(L_\omega \cap \mathcal{P})$, and we have $\forall w \in \mathit{pre}(x) : \exists y \in L_\omega \cap \mathcal{P} : w \in \mathit{pre}(y)$. We get, for all $x \in L_\omega$ and all $\varepsilon > 0$ ($\varepsilon$ is related to $\frac{1}{|w|+1}$), that there is a $y \in L_\omega \cap \mathcal{P}$ such that $d(x, y) < \varepsilon$. So $L_\omega \cap \mathcal{P}$ is a dense set in $L_\omega$.

Let $L_\omega \cap \mathcal{P}$ be a dense set in $L_\omega$. Then, for all $x \in L_\omega$ and all $\varepsilon > 0$, there exists $y \in L_\omega \cap \mathcal{P}$ such that $d(x, y) < \varepsilon$. Let $x$ be in $L_\omega$, let $w$ be in $\mathit{pre}(x)$ and let $\varepsilon = \frac{1}{|w|+1}$. Because $L_\omega \cap \mathcal{P}$ is a dense set in $L_\omega$, there exists $y \in L_\omega \cap \mathcal{P}$ such that $w \in \mathit{pre}(y)$. Thus $\mathit{pre}(L_\omega) \subseteq \mathit{pre}(L_\omega \cap \mathcal{P})$. Because $\mathit{pre}(L_\omega \cap \mathcal{P}) \subseteq \mathit{pre}(L_\omega)$, we have $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$. By Lemma 4.4, $\mathcal{P}$ is a relative liveness property of $L_\omega$. □

Lemma 4.11. A property $\mathcal{P}$ is a relative safety property of an ω-language $L_\omega$ if and only if $L_\omega \cap \mathcal{P}$ is a closed set in $L_\omega$.

Proof. $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if

$\forall x \in L_\omega : (\, x \notin \mathcal{P} \Rightarrow (\, \exists w \in \mathit{pre}(x) : \forall z \in \mathit{cont}(w, L_\omega) : wz \notin \mathcal{P} \,) \,)$.

If $\bar{\mathcal{P}}$ is the complement of $\mathcal{P}$ with respect to $L_\omega$, i.e. $\bar{\mathcal{P}} = L_\omega \cap (\Sigma^\omega \setminus \mathcal{P})$, which is equivalent to $\bar{\mathcal{P}} = L_\omega \setminus (L_\omega \cap \mathcal{P})$, then $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $\forall x \in L_\omega : (\, x \in \bar{\mathcal{P}} \Rightarrow (\, \exists w \in \mathit{pre}(x) : \forall z \in \mathit{cont}(w, L_\omega) : wz \in \bar{\mathcal{P}} \,) \,)$. If we define this condition topologically, then $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $\forall x \in \bar{\mathcal{P}} : \exists \varepsilon > 0 : \forall y \in L_\omega : d(x, y) < \varepsilon \Rightarrow y \in \bar{\mathcal{P}}$. Thus, $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $\bar{\mathcal{P}}$ is an open set in $L_\omega$. Because $\bar{\mathcal{P}} = L_\omega \setminus (L_\omega \cap \mathcal{P})$ is the complement of $L_\omega \cap \mathcal{P}$ with respect to $L_\omega$, we finally obtain that $\mathcal{P}$ is a relative safety property of $L_\omega$ if and only if $L_\omega \cap \mathcal{P}$ is a closed set in $L_\omega$. □

Relative safety having been introduced to complete the picture around relative liveness, we will now use relative liveness as a satisfaction relation, calling it satisfaction within fairness.

Definition 4.12. We say that $L_\omega$ satisfies $\mathcal{P}$ within fairness if and only if $L_\omega \models_l \mathcal{P}$.

We have chosen the phrase "within fairness" to stress the fact that for a property satisfied "within fairness" to be fully satisfied, the only missing element is a form of fairness condition on the set of behaviors being considered. Note that since a safety property never requires a fairness condition, a safety property satisfied within fairness by a set of behaviors is also fully satisfied by that set of behaviors. To prove this, recall the definition of a safety property ([Alpern and Schneider 1985], adapted to our notation):

Definition 4.13. Property $\mathcal{P} \subseteq \Sigma^\omega$ is called a safety property if and only if, for all $x \in \Sigma^\omega$, $x \notin \mathcal{P}$ implies $\exists w \in \mathit{pre}(x) : \forall y \in \Sigma^\omega : wy \notin \mathcal{P}$.

We then have the following.

Lemma 4.14. If $\mathcal{P}$ is a safety property, then $L_\omega \models_l \mathcal{P}$ if and only if $L_\omega \models \mathcal{P}$.

Proof. Let $L_\omega \models_l \mathcal{P}$, i.e. $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$. Assume $L_\omega \not\models \mathcal{P}$. Let $x \in L_\omega$ such that $x \notin \mathcal{P}$. Because $\mathcal{P}$ is a safety property, there exists $w \in \mathit{pre}(x)$ such that $\forall y \in \Sigma^\omega : wy \notin \mathcal{P}$. So $w$ is not a prefix of an ω-word in $\mathcal{P}$ and thus it is not in $\mathit{pre}(L_\omega \cap \mathcal{P})$. Since $w$ is in $\mathit{pre}(L_\omega)$ we have that $\mathit{pre}(L_\omega) \neq \mathit{pre}(L_\omega \cap \mathcal{P})$, which contradicts $L_\omega \models_l \mathcal{P}$. So $L_\omega \models \mathcal{P}$ must hold.

If $L_\omega \models \mathcal{P}$, then $L_\omega \models_l \mathcal{P}$ follows immediately. □

5. IMPLEMENTING SYSTEMS THAT SATISFY PROPERTIES WITHIN FAIRNESS

If a property is satisfied by a set of behaviors within fairness, our expectation is that a fair implementation of this set of behaviors will satisfy the property in the classical sense. Unfortunately, this is not true for every implementation, even if one assumes strong fairness. As an example, consider the set of behaviors $\{a, b\}^\omega$. It is not sufficient to impose strong fairness on the minimal automaton representing $\{a, b\}^\omega$ in order to satisfy all properties that are satisfied within fairness by $\{a, b\}^\omega$. For instance, $\Diamond(a \wedge (\bigcirc a))$ would not be satisfied, even though it is satisfied within fairness by $\{a, b\}^\omega$. The reason for this is that, even if fairness is used, more state information needs to be kept in order to be able to satisfy the property $\Diamond(a \wedge (\bigcirc a))$. However, it is always possible to add sufficient state information to a system in order to turn properties that are satisfied within fairness into properties that are satisfied in the classical sense under fairness. The following theorem makes this precise.

Theorem 5.1. Let $L_\omega$ be a limit closed finite-state set of behaviors (one accepted by a finite-state automaton without acceptance conditions, i.e. by a finite-state labeled transition system) and let $\mathcal{P}$ be an ω-regular property. Then, if $\mathcal{P}$ is satisfied within fairness by $L_\omega$, there exists a finite-state labeled transition system $A$ such that the ω-language accepted by $A$ is $L_\omega$ and all strongly fair computations in $A$ satisfy $\mathcal{P}$.

Proof. Since $\mathcal{P}$ is satisfied by $L_\omega$ within fairness, by Lemma 4.4 we have that $\mathit{pre}(L_\omega) = \mathit{pre}(L_\omega \cap \mathcal{P})$. Furthermore, since $L_\omega$ is limit closed we have that $L_\omega = \lim(\mathit{pre}(L_\omega))$ and hence

$L_\omega = \lim(\mathit{pre}(L_\omega \cap \mathcal{P})).$ (1)

Consider thus a reduced Büchi automaton $\mathcal{A}$ accepting $L_\omega \cap \mathcal{P}$ (by reduced we mean that states from which no ω-word can be accepted have been eliminated). The finite-state labeled transition system $A$ we are trying to construct is $\mathcal{A}$ with its acceptance condition removed. Indeed, by equation (1), $A$ accepts $L_\omega$. Furthermore, all strongly fair infinite computations of $A$ will go infinitely often through a former accepting state of $\mathcal{A}$ and thus will satisfy $\mathcal{P}$. □

The theorem we have just proved gives an interesting insight into properties satisfied within fairness. They are the properties that fairness makes true of the system, but possibly at the cost of adding state information to the system implementation in a noninterfering way, i.e. without altering the set of limit-closed behaviors of the system.

6. BEHAVIOR ABSTRACTIONS

We now turn to the problem of verifying a system using abstraction. We consider finite-state labeled transition systems (i.e. without acceptance conditions). Hence the finite-word languages accepted by the systems we consider are the prefix-closed regular languages, and the ω-languages they accept are the Eilenberg-limits of prefix-closed regular languages.

We consider abstractions that hide or rename the actions of our systems. Precisely, we consider abstraction homomorphisms that are extensions of alphabetic language homomorphisms to mappings on finite and infinite words as defined below.

Definition 6.1. Let $h : \Sigma \to (\Sigma' \cup \{\varepsilon\})$ be a total function ($\varepsilon$ designates the empty word) and let $\Sigma^\infty = \Sigma^* \cup \Sigma^\omega$. Then, the abstraction homomorphism generated by $h$ is the extension of $h$ to a mapping $h : \Sigma^\infty \to \Sigma'^\infty$ defined as follows. For all words $w = w_1 w_2 w_3 \ldots w_n \in \Sigma^*$, $n \in \mathbb{N}$, we define $h(w) = h(w_1) h(w_2) h(w_3) \ldots h(w_n)$. For all ω-words $x = x_1 x_2 x_3 \ldots \in \Sigma^\omega$, we define $h(x) = h(x_1) h(x_2) h(x_3) \ldots$, if $\lim(h(\mathit{pre}(x))) \neq \emptyset$. Otherwise, if $\lim(h(\mathit{pre}(x))) = \emptyset$, then $h(x)$ is undefined.

This leads naturally to the following definition of the abstract behavior of a system under an abstraction homomorphism.

Definition 6.2. Let $S$ be a system whose behaviors are the limit $\lim(L)$ of a prefix-closed regular language $L$. Then, the abstract behavior of $S$ with respect to the abstraction homomorphism $h$ is $\lim(h(L))$.

Our goal is to prove properties of the behaviors $\lim(L)$ of a system $S$ by only considering the abstract behaviors $\lim(h(L))$ for some abstraction homomorphism $h$. More specifically, we are interested in the preservation of properties satisfied within fairness under the abstraction homomorphism.

Essential information about the properties that are satisfied within fairness by $\lim(L)$ is contained in the sets $\mathit{cont}(w, L)$, for $w \in L$. At the abstract level, we obviously have access to $\mathit{cont}(h(w), h(L))$, but we really need $h(\mathit{cont}(w, L))$ in order to ensure that properties satisfied within fairness by the abstraction will also be satisfied within fairness by the concrete system in a corresponding way. Thus, we need to investigate the relation between the sets $h(\mathit{cont}(w, L))$ and $\mathit{cont}(h(w), h(L))$ and find conditions under which $\mathit{cont}(h(w), h(L))$ can be used instead of $h(\mathit{cont}(w, L))$.

In general, $h(\mathit{cont}(w, L))$ is only a subset of $\mathit{cont}(h(w), h(L))$, and the inclusion may be proper. In order to obtain sufficient information about $h(\mathit{cont}(w, L))$ from $\mathit{cont}(h(w), h(L))$, one would be tempted to require equality of the two sets. Those homomorphisms are continuation closed, since computing the continuation or the abstraction first both have the same result. However, this is stronger than needed. Indeed, since we are dealing with satisfaction within fairness, we will show that it is sufficient that the behaviors in $\mathit{cont}(h(w), h(L))$ "eventually" become behaviors in $h(\mathit{cont}(w, L))$. This condition is the one called simplicity of an abstraction homomorphism in [Ochsenschlager 1994]. We will use a name that is more intuitive with respect to their definition and call them weakly continuation-closed homomorphisms. Their exact definition is the following.

Definition 6.3. An abstraction homomorphism $h : \Sigma^\infty \to \Sigma'^\infty$ is weakly continuation-closed for a language $L \subseteq \Sigma^*$ and a word $w \in L$ if and only if there exists $u \in \mathit{cont}(h(w), h(L))$ such that $\mathit{cont}(u, \mathit{cont}(h(w), h(L))) = \mathit{cont}(u, h(\mathit{cont}(w, L)))$. The homomorphism $h$ is weakly continuation-closed for $L$ if and only if it is for all words $w \in L$.

Theorem 8.4 will show that this definition indeed meets all the requirements we have informally described above. More details about weakly continuation-closed homomorphisms can be found in [Ochsenschlager 1994].

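The following Python code, added here and not taken from the paper or from [Ochsenschlager 1994], decides Definition 6.3 for a finite-state system and an alphabetic abstraction homomorphism, and runs it on the constructed stand-ins for Figures 2 and 3 of Section 2 with the homomorphism that hides lock and free. The models, the state names F0, L0, F1, L1 and all function names are assumptions of the example. The procedure is a direct one written for this example: $h(\mathit{cont}(w, L))$ is the language of the abstract NFA (the system with hidden actions read as ε-moves) started from the state reached by $w$; $\mathit{cont}(h(w), h(L))$ is the language of the same NFA started from every state reachable by some $w'$ with $h(w') = h(w)$; both languages are prefix-closed, so equality of the two continuations after $u$ reduces to checking that emptiness of the two run sets agrees at every pair of subsets reachable from the pair reached by $u$. Only finitely many such pairs exist, so all $w \in L$ are covered.

```python
# Added example (not part of the paper): deciding whether an abstraction
# homomorphism is weakly continuation-closed (Definition 6.3) for a
# finite-state system.  SERVER and SERVER_ERR are constructed stand-ins for
# Figures 2 and 3; H hides lock and free ("" stands for the empty word ε).
from collections import deque

SERVER = {
    "F0": {"lock": "L0", "request": "F1"},
    "L0": {"free": "F0", "request": "L1"},
    "F1": {"result": "F0"},
    "L1": {"reject": "L0"},
}
SERVER_ERR = {  # once locked, never freed; reject also possible while free
    "F0": {"lock": "L0", "request": "F1"},
    "L0": {"request": "L1"},
    "F1": {"result": "F0", "reject": "F0"},
    "L1": {"reject": "L0"},
}
H = {"lock": "", "free": "", "request": "request", "result": "result",
     "reject": "reject"}

def closure(ts, states):
    """ε-closure: add every state reachable through hidden (h(a) = ε) edges."""
    seen, todo = set(states), deque(states)
    while todo:
        s = todo.popleft()
        for a, t in ts[s].items():
            if H[a] == "" and t not in seen:
                seen.add(t)
                todo.append(t)
    return frozenset(seen)

def step(ts, states, letter):
    """Subset step of the abstract NFA on one visible letter."""
    return closure(ts, {t for s in states for a, t in ts[s].items() if H[a] == letter})

def visible(ts):
    """Abstract alphabet Σ' actually used by the system."""
    return sorted({H[a] for edges in ts.values() for a in edges} - {""})

def continuations_agree(ts, A, B):
    """Language of the abstract NFA from subset A == language from subset B.
    Both languages are prefix-closed, so it suffices that emptiness of the
    two run sets agrees at every pair reachable from (A, B)."""
    seen, todo = {(A, B)}, deque([(A, B)])
    while todo:
        a, b = todo.popleft()
        if bool(a) != bool(b):
            return False
        for c in visible(ts):
            p = (step(ts, a, c), step(ts, b, c))
            if (p[0] or p[1]) and p not in seen:
                seen.add(p)
                todo.append(p)
    return True

def weakly_cc_for_pair(ts, A, B):
    """Definition 6.3 for one w: A runs h(cont(w, L)), B runs cont(h(w), h(L)).
    Search for a u in cont(h(w), h(L)) after which both continuations agree."""
    seen, todo = {(A, B)}, deque([(A, B)])
    while todo:
        a, b = todo.popleft()
        if continuations_agree(ts, a, b):
            return True
        for c in visible(ts):
            p = (step(ts, a, c), step(ts, b, c))
            if p[1] and p not in seen:   # u·c must stay inside cont(h(w), h(L))
                seen.add(p)
                todo.append(p)
    return False

def weakly_continuation_closed(ts, init):
    """Definition 6.3 for all w ∈ L.  The pair (h(cont(w,L)), cont(h(w),h(L)))
    depends only on the state reached by w and on the abstract subset reached
    by h(w); enumerate these finitely many pairs along concrete letters."""
    start = (init, closure(ts, {init}))
    seen, todo = {start}, deque([start])
    while todo:
        s, B = todo.popleft()
        if not weakly_cc_for_pair(ts, closure(ts, {s}), B):
            return False
        for a, t in ts[s].items():
            p = (t, B if H[a] == "" else step(ts, B, H[a]))   # B is ε-closed already
            if p not in seen:
                seen.add(p)
                todo.append(p)
    return True

if __name__ == "__main__":
    print(weakly_continuation_closed(SERVER, "F0"))      # True
    print(weakly_continuation_closed(SERVER_ERR, "F0"))  # False
    # w = lock in the faulty system: h(cont(w, L)) is strictly smaller than
    # cont(h(w), h(L)), and no u ever makes the two continuations agree.
    print(continuations_agree(SERVER_ERR, closure(SERVER_ERR, {"L0"}),
                              closure(SERVER_ERR, {"F0"})))  # False
```

For the correct model the pair reached by $w = \mathit{lock}$ already agrees at $u = \varepsilon$, because the hidden free-transition leads back to the initial state; for the faulty model the concrete continuation after lock never contains result while the abstract continuation always does, which is the situation in which a property satisfied within fairness by Figure 4 must not be transferred to the concrete system.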
7. PRESERVATION OF LINEAR PROPERTIES

Before turning to the preservation of properties satisfied within fairness by weakly continuation-closed homomorphisms, we need some general results about abstraction homomorphisms and properties. The problem we address is that the properties true of the abstracted system and of the concrete system can rarely be identical. Indeed, one needs to take into account the fact that the abstraction can rename or hide symbols. Our goal here is to define a transformation on properties that mirrors this.

We consider properties defined by PLTL formulas (see Section 3). In order to make the definition of property transformations easier and to make the interpretation of formulas over words more direct (remember that we are dealing with systems represented by sets of infinite words), we define some normal forms for PLTL formulas.

A first restriction is to consider only positive normal form formulas.

Definition 7.1. A PLTL-formula $\eta$ is in positive normal form if and only if the scope of all negations is a single atomic proposition.

Now we turn to the problem of interpreting formulas over words. Our generic way of doing this (see Section 3) is to use a mapping $\lambda : \Sigma \to 2^{AP}$ from the alphabet $\Sigma$ of the word to the subsets of the atomic propositions $AP$ of the formula. However, in this context, it is quite natural to consider the elements of $\Sigma$ directly as atomic propositions, which implies that one is using a mapping $\lambda_\Sigma$ such that $\forall a \in \Sigma : \lambda_\Sigma(a) = \{a\}$. We define a normal form that corresponds to this.

Definition 7.2. Let $\Sigma$ be an alphabet. We say that a PLTL formula $\eta$ is in $\Sigma$-normal form if and only if $\eta$ is in positive normal form and all its atomic propositions are in $\Sigma$ (i.e. $AP \subseteq \Sigma$).

For an alphabet $\Sigma$, the canonical $\Sigma$-labeling function $\lambda_\Sigma : \Sigma \to 2^\Sigma$ is the one such that $\forall a \in \Sigma : \lambda_\Sigma(a) = \{a\}$.

Note that using $\Sigma$-normal form formulas is not really restrictive. Indeed, for any PLTL-formula $\eta$ over a set $AP$ of atomic propositions and any labeling function $\lambda : \Sigma \to 2^{AP}$, there exists a PLTL-formula $\eta'$ in $\Sigma$-normal form such that, for all $x \in \Sigma^\omega$, $x, \lambda \models \eta$ if and only if $x, \lambda_\Sigma \models \eta'$.

We now turn to the interaction between properties and abstraction homomorphisms. Consider an abstraction homomorphism $h : \Sigma^\infty \to \Sigma'^\infty$ and assume we have established a ($\Sigma'$-normal form) property $\eta$ of the abstract version $L'_\omega \subseteq \Sigma'^\omega$ of a system obtained under this homomorphism. Of what system can we say that the property is true on the concrete level? One would expect $h^{-1}(L'_\omega)$. However, this is a language on $\Sigma$ on which we cannot directly interpret $\eta$. One could modify $\eta$ to take this into account, but it is simpler to modify the labeling function.

Definition 7.3. For alphabets $\Sigma$ and $\Sigma'$, and for an abstraction homomorphism $h : \Sigma^\infty \to \Sigma'^\infty$, the canonical $h_{\Sigma\Sigma'}$-labeling function $\lambda_{h_{\Sigma\Sigma'}} : \Sigma \to 2^{\Sigma' \cup \{\varepsilon\}}$ is the one such that $\forall a \in \Sigma : \lambda_{h_{\Sigma\Sigma'}}(a) = \{h(a)\}$.

Notice that this labeling function maps some letters to the proposition $\varepsilon$, which stands for the empty word. So, we can't expect a formula $\eta$ true of the abstract system $L'_\omega$ to be true of $h^{-1}(L'_\omega)$ even using the mapping $\lambda_{h_{\Sigma\Sigma'}}$. Indeed, this mapping takes care of the fact that letters are renamed, but does not take care of the fact that $\varepsilon$ is the empty word. What is needed is to ignore the empty word in the evaluation of the formula. This is handled by transforming the formula $\eta$ from $\Sigma'$-normal form to $\Sigma' \cup \{\varepsilon\}$-normal form as follows.

Definition 7.4. Let $\eta$ be a PLTL-formula in $\Sigma'$-normal form. We define recursively a mapping $T(\eta)$ that yields a formula in $\Sigma' \cup \{\varepsilon\}$-normal form (see Figure 5; $b$ designates binary boolean operators: $b \in \{\wedge, \vee, \Leftrightarrow\}$).

$$
T(\eta) = \begin{cases}
\mathit{true}, & \text{if } \eta = \mathit{true}, \\
\neg(\mathit{true}), & \text{if } \eta = \neg(\mathit{true}), \\
a, & \text{if } \eta = a \in \Sigma', \\
(\neg(a)) \wedge (\neg(\varepsilon)), & \text{if } \eta = \neg(a) \text{ and } a \in \Sigma', \\
(T(\xi))\; b\; (T(\zeta)), & \text{if } \eta = (\xi)\; b\; (\zeta), \\
((\varepsilon) \vee (T(\xi)))\,\mathcal{U}\,(T(\zeta)), & \text{if } \eta = (\xi)\,\mathcal{U}\,(\zeta), \\
(T(\xi))\,\mathcal{R}\,(T(\zeta)), & \text{if } \eta = (\xi)\,\mathcal{R}\,(\zeta), \\
\Diamond(T(\xi)), & \text{if } \eta = \Diamond(\xi), \\
\Box((\varepsilon) \vee (T(\xi))), & \text{if } \eta = \Box(\xi), \\
(\varepsilon)\,\mathcal{U}\,((\neg(\varepsilon)) \wedge (\bigcirc((\varepsilon)\,\mathcal{U}\,(T(\xi))))), & \text{if } \eta = \bigcirc(\xi).
\end{cases}
$$

Fig. 5. The syntactical transformation of PLTL.

As defined, the mapping $T$ does not modify pure Boolean formulas (not including any temporal operator). However, a pure Boolean formula $\eta$ should be mapped to $(\varepsilon)\,\mathcal{U}\,(N(\eta))$, where $N$ replaces all subformulas $\neg(a)$ of a PLTL-formula such that $a$ is an atomic proposition by $(\neg(a)) \wedge (\neg(\varepsilon))$. We thus extend $T$ into a mapping $R$ such that $R(\eta)$ is $T(\eta)$ with all maximal pure Boolean subformulas $\xi_b$ replaced by $(\varepsilon)\,\mathcal{U}\,(N(\xi_b))$.

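As an added example (not from the paper), the Python code below implements the PLTL semantics of Section 3 over ultimately periodic words $u \cdot v^\omega$, given as a pair of tuples, together with the transformation $T$ of Definition 7.4 (the $\mathcal{R}$ case of Figure 5 is left out). It checks the equivalence stated in Lemma 7.7 below on constructed words for the homomorphism of Section 2 that hides lock and free: the abstract word satisfies $\eta$, the concrete word does not satisfy $\eta$ under $\lambda_{h_{\Sigma\Sigma'}}$ because $\bigcirc$ lands on a hidden letter, and it does satisfy $T(\eta)$. The tuple encoding of formulas, the names holds, T, h_word and lemma_7_7_holds, and the sample words are the example's own.

```python
# Added example (not from the paper): PLTL over ultimately periodic words
# u·v^ω (Section 3 semantics) and the transformation T of Definition 7.4,
# checked against Lemma 7.7 on constructed words.  Formulas are nested
# tuples: ("true",), ("ap", a), ("not", f), ("and", f, g), ("or", f, g),
# ("next", f), ("until", f, g), ("ev", f), ("alw", f).  Positions are 0-based.

EPS = ""   # the proposition ε standing for the empty word (Definition 7.3)

def letter(word, i):
    """i-th letter of u·v^ω given as (u, v); the loop v must be non-empty."""
    u, v = word
    return u[i] if i < len(u) else v[(i - len(u)) % len(v)]

def canon(word, i):
    """Fold position i into the loop: the suffixes at i and canon(i) coincide."""
    u, v = word
    return i if i < len(u) else len(u) + (i - len(u)) % len(v)

def holds(f, word, lab, i=0):
    """x_(i...), lab ⊨ f, where lab : Σ -> 2^AP is the labeling function λ."""
    i, n = canon(word, i), len(word[0]) + len(word[1])
    op = f[0]
    if op == "true":
        return True
    if op == "ap":
        return f[1] in lab(letter(word, i))
    if op == "not":
        return not holds(f[1], word, lab, i)
    if op == "and":
        return holds(f[1], word, lab, i) and holds(f[2], word, lab, i)
    if op == "or":
        return holds(f[1], word, lab, i) or holds(f[2], word, lab, i)
    if op == "next":
        return holds(f[1], word, lab, i + 1)
    if op == "until":   # one traversal of prefix plus loop visits every distinct suffix
        return any(holds(f[2], word, lab, k) and
                   all(holds(f[1], word, lab, j) for j in range(i, k))
                   for k in range(i, i + n))
    if op == "ev":      # ◇ξ = true U ξ
        return holds(("until", ("true",), f[1]), word, lab, i)
    if op == "alw":     # □ξ = ¬◇¬ξ
        return not holds(("ev", ("not", f[1])), word, lab, i)
    raise ValueError(f"unknown operator {op}")

def T(f):
    """Definition 7.4 for Σ'-normal form formulas (negation only on atoms).
    The R case of Figure 5 is not implemented."""
    op = f[0]
    if op in ("true", "ap"):
        return f
    if op == "not":                       # ¬(a), a ∈ Σ'  ->  (¬(a)) ∧ (¬(ε))
        return f if f[1] == ("true",) else ("and", f, ("not", ("ap", EPS)))
    if op in ("and", "or"):
        return (op, T(f[1]), T(f[2]))
    if op == "until":                     # ((ε) ∨ T(ξ)) U T(ζ)
        return ("until", ("or", ("ap", EPS), T(f[1])), T(f[2]))
    if op == "ev":
        return ("ev", T(f[1]))
    if op == "alw":                       # □((ε) ∨ T(ξ))
        return ("alw", ("or", ("ap", EPS), T(f[1])))
    if op == "next":                      # (ε) U ((¬ε) ∧ ○((ε) U T(ξ)))
        return ("until", ("ap", EPS),
                ("and", ("not", ("ap", EPS)),
                 ("next", ("until", ("ap", EPS), T(f[1])))))
    raise ValueError(f"unknown operator {op}")

# Abstraction h of Section 2: lock and free are hidden, other actions kept.
H = {"lock": EPS, "free": EPS, "request": "request", "result": "result",
     "reject": "reject"}

def lab_abs(a):
    """Canonical λ_Σ': each abstract letter is its own proposition."""
    return {a}

def lab_h(a):
    """Canonical λ_h: a concrete letter is labelled by h(a), possibly ε."""
    return {H[a]}

def h_word(word):
    """Image of a lasso word under h; the loop must keep a visible letter."""
    u, v = word
    return (tuple(H[a] for a in u if H[a] != EPS),
            tuple(H[a] for a in v if H[a] != EPS))

def lemma_7_7_holds(eta, x):
    """x', λ_Σ' ⊨ η  iff  x, λ_h ⊨ T(η), with x' = h(x) (Lemma 7.7)."""
    return holds(eta, h_word(x), lab_abs) == holds(T(eta), x, lab_h)

# Constructed word lock·(request·lock·free·result)^ω, image (request·result)^ω.
X = (("lock",), ("request", "lock", "free", "result"))
# η = □(¬request ∨ ○(result ∨ reject)): every request is answered next.
ETA = ("alw", ("or", ("not", ("ap", "request")),
               ("next", ("or", ("ap", "result"), ("ap", "reject")))))

if __name__ == "__main__":
    print(holds(ETA, h_word(X), lab_abs))   # True on the abstract word
    print(holds(ETA, X, lab_h))             # False: ○ sees the hidden lock
    print(holds(T(ETA), X, lab_h))          # True: T skips the ε positions
```

The evaluation of $\mathcal{U}$ scans at most one prefix-plus-loop traversal, since a witness position beyond that would revisit a suffix already examined. The point of the run is the middle line: under $\lambda_{h_{\Sigma\Sigma'}}$ alone the formula fails on the concrete word exactly as the text above warns, and $T(\eta)$ restores the expected truth value.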
We can now give a statement relating a property true on an abstraction of a system to a property true at the concrete level [Nitsche 1994; Nitsche 1998b].

Lemma 7.5. Let $L'_\omega \subseteq \Sigma'^\omega$, let $\eta$ be a PLTL-formula in $\Sigma'$-normal form, and let $h : \Sigma^\infty \to \Sigma'^\infty$ be an abstraction homomorphism. Then

The proof of Lemma 7.5 consists of two lemmas handling boolean formulas and purely temporal formulas respectively.

Lemma 7.6. Let $h : \Sigma^\infty \to \Sigma'^\infty$ be an abstraction homomorphism. Let $x' \in \Sigma'^\omega$ be an abstract computation and let $x \in h^{-1}(x')$. Let $\eta$ be a boolean formula in $\Sigma'$-normal form. Then

$x', \lambda_{\Sigma'} \models \eta$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (\varepsilon)\; U\; (N(\eta))$.

Proof. Let $i \in \mathbb{N}$ such that $h(x_i) = x'_1$ and, for all $j < i$, $h(x_j) = \varepsilon$. We have, for all atomic propositions $a \in \Sigma'$, that $x', \lambda_{\Sigma'} \models a$ if and only if $x_{(i\ldots)}, \lambda_{h,\Sigma\Sigma'} \models a$, and thus $x', \lambda_{\Sigma'} \models \neg(a)$ if and only if $x_{(i\ldots)}, \lambda_{h,\Sigma\Sigma'} \models \neg(a)$. Because $h(x_i) \neq \varepsilon$, we have $x', \lambda_{\Sigma'} \models \neg(a)$ if and only if $x_{(i\ldots)}, \lambda_{h,\Sigma\Sigma'} \models (\neg(a)) \wedge (\neg(\varepsilon))$. According to the semantics of boolean connectives we obtain $x', \lambda_{\Sigma'} \models \eta$ if and only if $x_{(i\ldots)}, \lambda_{h,\Sigma\Sigma'} \models N(\eta)$.

For all $j < i$, $h(x_j) = \varepsilon$, which means that $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \not\models N(\eta)$ and $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \models \varepsilon$. Thus $x', \lambda_{\Sigma'} \models \eta$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (\varepsilon)\; U\; (N(\eta))$. □

Lemma 7.7. Let $h : \Sigma^\infty \to \Sigma'^\infty$ be an abstraction homomorphism. Let $x' \in \Sigma'^\omega$ be an abstract computation and let $x \in h^{-1}(x')$. Let $\eta$ be a PLTL-formula in $\Sigma'$-normal form such that all atomic propositions are in the scope of a temporal operator (we call these formulas purely temporal). Then

$x', \lambda_{\Sigma'} \models \eta$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models T(\eta)$.

Remark 7.8. Lemma 7.7 is not surprising, because $T(\eta)$ takes care of subwords of $\omega$-words in $h^{-1}(x')$ that $h$ takes to $\varepsilon$, not changing the general structure of $\eta$. However, because many cases need to be distinguished, the proof of Lemma 7.7 is quite lengthy.

Proof. The proof is by induction on the structure of $\eta$. If $\eta$ contains exactly one temporal operator that quantifies over all atomic propositions in $\eta$ (the induction's basis), then all proper subformulas $\xi$ of $\eta$ are boolean formulas and hence $T(\xi) = N(\xi)$.

By Lemma 7.6 and since $T(\xi) = N(\xi)$, for all proper subformulas $\xi$ of $\eta$ and all $x \in h^{-1}(x')$ we have $x', \lambda_{\Sigma'} \models \xi$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (\varepsilon)\; U\; (T(\xi))$. Therefore, if $h(x_1) \neq \varepsilon$, $x', \lambda_{\Sigma'} \models \xi$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$. We use this equivalence to prove the induction's basis. Because all atomic propositions of $\eta$ are in the scope of the only temporal operator, we need not prove the induction's basis for boolean connectives.

$\eta = (\xi)\; U\; (\zeta)$: $x', \lambda_{\Sigma'} \models (\xi)\; U\; (\zeta)$ if and only if there exists $i \in \mathbb{N}$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \zeta$ and $x'_{(j\ldots)}, \lambda_{\Sigma'} \models \xi$ for all $j < i$. This is equivalent to the existence of a $k \in \mathbb{N}$ such that $x_{(k\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\zeta)$ and $x_{(l\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$, for all $l < k$ such that $h(x_l) \neq \varepsilon$. Thus, $x', \lambda_{\Sigma'} \models (\xi)\; U\; (\zeta)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models ((\varepsilon) \vee (T(\xi)))\; U\; (T(\zeta))$.

$\eta = (\xi)\; B\; (\zeta)$: $x', \lambda_{\Sigma'} \models (\xi)\; B\; (\zeta)$ if and only if there exists no $i \in \mathbb{N}$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \zeta$, or there exists an $i \in \mathbb{N}$ and a $j < i$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \zeta$, $x'_{(j\ldots)}, \lambda_{\Sigma'} \models \xi$, and, for all $k < i$, $x'_{(k\ldots)}, \lambda_{\Sigma'} \not\models \zeta$. This is equivalent to: there exists no $l \in \mathbb{N}$ such that $x_{(l\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\zeta)$, or there exists an $l \in \mathbb{N}$ and an $m < l$ such that $x_{(l\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\zeta)$, $x_{(m\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$, and, for all $n < l$, $x_{(n\ldots)}, \lambda_{h,\Sigma\Sigma'} \not\models T(\zeta)$. Therefore, $x', \lambda_{\Sigma'} \models (\xi)\; B\; (\zeta)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (T(\xi))\; B\; (T(\zeta))$.

$\eta = \Diamond(\xi)$: $x', \lambda_{\Sigma'} \models \Diamond(\xi)$ if and only if there exists $i \in \mathbb{N}$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \xi$. This is equivalent to the existence of $j \in \mathbb{N}$ such that $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$. Hence, $x', \lambda_{\Sigma'} \models \Diamond(\xi)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models \Diamond(T(\xi))$.

$\eta = \Box(\xi)$: $x', \lambda_{\Sigma'} \models \Box(\xi)$ if and only if $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \xi$, for all $i \in \mathbb{N}$. This is equivalent to: for all $j \in \mathbb{N}$ with $h(x_j) \neq \varepsilon$ we have $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$. Since $h(x) = x'$ there are infinitely many different $j \in \mathbb{N}$ with $h(x_j) \neq \varepsilon$ and consequently $x', \lambda_{\Sigma'} \models \Box(\xi)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models \Box((\varepsilon) \vee (T(\xi)))$.

$\eta = \bigcirc(\xi)$: $x', \lambda_{\Sigma'} \models \bigcirc(\xi)$ if and only if $x'_{(2\ldots)}, \lambda_{\Sigma'} \models \xi$. Equivalently, there exists a $j \in \mathbb{N}$ and a $k < j$ such that $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$, $h(x_k) \neq \varepsilon$, and $h(x_l) = \varepsilon$, for all $l < j$ such that $l \neq k$. So $x', \lambda_{\Sigma'} \models \bigcirc(\xi)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (\varepsilon)\; U\; ((\neg(\varepsilon)) \wedge (\bigcirc((\varepsilon)\; U\; (T(\xi)))))$.

This last step finishes the proof of the induction's basis. In the inductive step, the proper subformulas of $\eta$ need not necessarily satisfy the preconditions of the lemma, because they can contain atomic propositions that are not in the scope of a temporal operator (of the subformula). Hence, in general, a subformula $\xi$ of $\eta$ is the boolean combination of boolean formulas $\xi_b$ and purely temporal formulas $\xi_t$. By induction, we have $x', \lambda_{\Sigma'} \models \xi_t$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models T(\xi_t)$. According to Lemma 7.6, $x', \lambda_{\Sigma'} \models \xi_b$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (\varepsilon)\; U\; (N(\xi_b))$. Thus $x', \lambda_{\Sigma'} \models \xi_b$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (\varepsilon)\; U\; (T(\xi_b))$, because $T(\xi_b) = N(\xi_b)$. Hence, if $h(x_1) \neq \varepsilon$, then $x', \lambda_{\Sigma'} \models \xi_b$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models T(\xi_b)$. Therefore, for all subformulas $\xi$ of $\eta$, we have: if $h(x_1) \neq \varepsilon$, then $x', \lambda_{\Sigma'} \models \xi$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$. We use this condition as our induction's hypothesis.

$\eta = (\xi)\; b\; (\zeta)$: Because of the lemma's preconditions, $\xi$ and $\zeta$ must be purely temporal subformulas of $\eta$, for a binary boolean connective $b$. Then, by induction and the semantics of boolean connectives, $x', \lambda_{\Sigma'} \models (\xi)\; b\; (\zeta)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (T(\xi))\; b\; (T(\zeta))$.

$\eta = (\xi)\; U\; (\zeta)$: $x', \lambda_{\Sigma'} \models (\xi)\; U\; (\zeta)$ if and only if there exists $i \in \mathbb{N}$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \zeta$ and, for all $j < i$, $x'_{(j\ldots)}, \lambda_{\Sigma'} \models \xi$. By induction, this is equivalent to the existence of $k \in \mathbb{N}$ such that $x_{(k\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\zeta)$, and, for all $l < k$ we have $x_{(l\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$ or $h(x_l) = \varepsilon$. Therefore, $x', \lambda_{\Sigma'} \models (\xi)\; U\; (\zeta)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models ((\varepsilon) \vee (T(\xi)))\; U\; (T(\zeta))$.

ACM Transactions in Computational Logic, Vol. TBD, No. TBD, TBD TBD. 



Checking Properties within Fairness and Behavior Abstractions • 15 



$\eta = (\xi)\; B\; (\zeta)$: $x', \lambda_{\Sigma'} \models (\xi)\; B\; (\zeta)$ if and only if there exists no $i \in \mathbb{N}$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \zeta$, or there exists an $i \in \mathbb{N}$ and a $j < i$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \zeta$, $x'_{(j\ldots)}, \lambda_{\Sigma'} \models \xi$, and $x'_{(k\ldots)}, \lambda_{\Sigma'} \not\models \zeta$, for all $k < i$. By induction, this is equivalent to: there exists no $l \in \mathbb{N}$ such that $x_{(l\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\zeta)$, or there exists an $l \in \mathbb{N}$ and an $m < l$ such that $x_{(l\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\zeta)$, $x_{(m\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$, and $x_{(n\ldots)}, \lambda_{h,\Sigma\Sigma'} \not\models T(\zeta)$, for all $n < l$. Therefore, $x', \lambda_{\Sigma'} \models (\xi)\; B\; (\zeta)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (T(\xi))\; B\; (T(\zeta))$.

$\eta = \Diamond(\xi)$: $x', \lambda_{\Sigma'} \models \Diamond(\xi)$ if and only if there exists $i \in \mathbb{N}$ such that $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \xi$. By induction, this is equivalent to the existence of $j \in \mathbb{N}$ such that $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$. Hence, $x', \lambda_{\Sigma'} \models \Diamond(\xi)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models \Diamond(T(\xi))$.

$\eta = \Box(\xi)$: $x', \lambda_{\Sigma'} \models \Box(\xi)$ if and only if $x'_{(i\ldots)}, \lambda_{\Sigma'} \models \xi$, for all $i \in \mathbb{N}$. By induction, this is equivalent to: for all $j \in \mathbb{N}$ such that $h(x_j) \neq \varepsilon$, we have $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$. Since $h(x) = x'$, there are infinitely many different $j \in \mathbb{N}$ such that $h(x_j) \neq \varepsilon$. Therefore $x', \lambda_{\Sigma'} \models \Box(\xi)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models \Box((\varepsilon) \vee (T(\xi)))$.

$\eta = \bigcirc(\xi)$: $x', \lambda_{\Sigma'} \models \bigcirc(\xi)$ if and only if $x'_{(2\ldots)}, \lambda_{\Sigma'} \models \xi$. Equivalently, by induction, there exists $j \in \mathbb{N}$ and $k < j$ such that $x_{(j\ldots)}, \lambda_{h,\Sigma\Sigma'} \models T(\xi)$, $h(x_k) \neq \varepsilon$, and $h(x_l) = \varepsilon$, for all $l < j$ such that $l \neq k$. So, $x', \lambda_{\Sigma'} \models \bigcirc(\xi)$ if and only if $x, \lambda_{h,\Sigma\Sigma'} \models (\varepsilon)\; U\; ((\neg(\varepsilon)) \wedge (\bigcirc((\varepsilon)\; U\; (T(\xi)))))$. □



PROOF of Lemma 7.5. Lemma 7.6 and Lemma 7.7 establish the result. □ 
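As an added illustration, not code from the paper, the following Python implements the transformations $T$, $N$ and $R$ of Definition 7.4 on formulas represented as nested tuples, evaluates PLTL on ultimately periodic ("lasso") words so that $\omega$-words can be checked in finitely many steps, and confirms the equivalence of Lemmas 7.6 and 7.7 on a constructed abstraction: $\Sigma = \{a, b, c\}$, $\Sigma' = \{a, b\}$, with $h$ keeping $a$ and $b$ and hiding $c$. The alphabets, the dictionary `H` standing for $h$, and the sample words are the example's own assumptions; the operator `B` follows the semantics used in the proof of Lemma 7.7.

```python
"""PLTL formulas in Sigma'-normal form, the transformations T, N and R of
Definition 7.4, and a check of Lemmas 7.6/7.7 on ultimately periodic words.
Added example, not code from the paper; the alphabets, the homomorphism H and
the sample words below are constructed for illustration."""
from functools import lru_cache

# Formula = nested tuple: ('true',), ('ap', name), ('not', f), ('and'|'or'|'iff', f, g),
# ('U'|'B', f, g) for until / before, ('X'|'F'|'G', f) for next / eventually / always.
TRUE = ('true',)
EPS = ('ap', 'eps')                 # the proposition epsilon: "this letter is hidden"
BOOL_OPS = ('and', 'or', 'iff')

def ap(a): return ('ap', a)
def neg(f): return ('not', f)
def conj(f, g): return ('and', f, g)
def disj(f, g): return ('or', f, g)
def until(f, g): return ('U', f, g)
def before(f, g): return ('B', f, g)
def nxt(f): return ('X', f)
def evt(f): return ('F', f)
def alw(f): return ('G', f)

def is_boolean(f):
    """True iff f contains no temporal operator (a pure Boolean formula)."""
    if f[0] in ('true', 'ap'): return True
    if f[0] == 'not': return is_boolean(f[1])
    return f[0] in BOOL_OPS and is_boolean(f[1]) and is_boolean(f[2])

def N(f):
    """Replace every not(a), a atomic, by not(a) and not(eps); positive normal form assumed."""
    if f[0] == 'not' and f[1][0] == 'ap': return conj(neg(f[1]), neg(EPS))
    if f[0] in BOOL_OPS: return (f[0], N(f[1]), N(f[2]))
    return f

def T(f):
    """The syntactic transformation of Figure 5, one case per line."""
    op = f[0]
    if op in ('true', 'ap'): return f
    if op == 'not': return f if f[1][0] == 'true' else conj(neg(f[1]), neg(EPS))
    if op in BOOL_OPS: return (op, T(f[1]), T(f[2]))
    if op == 'U': return until(disj(EPS, T(f[1])), T(f[2]))
    if op == 'B': return before(T(f[1]), T(f[2]))
    if op == 'F': return evt(T(f[1]))
    if op == 'G': return alw(disj(EPS, T(f[1])))
    if op == 'X': return until(EPS, conj(neg(EPS), nxt(until(EPS, T(f[1])))))
    raise ValueError(op)

def R(f):
    """T(f) with every maximal pure Boolean subformula xi_b of f replaced by eps U N(xi_b)."""
    if is_boolean(f): return until(EPS, N(f))
    op = f[0]
    if op in BOOL_OPS: return (op, R(f[1]), R(f[2]))
    if op == 'U': return until(disj(EPS, R(f[1])), R(f[2]))
    if op == 'B': return before(R(f[1]), R(f[2]))
    if op == 'F': return evt(R(f[1]))
    if op == 'G': return alw(disj(EPS, R(f[1])))
    if op == 'X': return until(EPS, conj(neg(EPS), nxt(until(EPS, R(f[1])))))
    raise ValueError(op)

def sat(f, word, label):
    """Does prefix.loop^omega (word = (prefix, loop)) satisfy f at its first position,
    letters labelled by label(letter) -> set of propositions?  Positions past the prefix
    are reduced modulo the loop, so only finitely many suffixes have to be examined."""
    prefix, loop = word
    n = len(prefix) + len(loop)
    norm = lambda i: i if i < len(prefix) else len(prefix) + (i - len(prefix)) % len(loop)
    letter = lambda i: prefix[i] if i < len(prefix) else loop[i - len(prefix)]
    @lru_cache(maxsize=None)
    def ev(g, i):                          # g holds on the suffix starting at position i
        op = g[0]
        if op == 'true': return True
        if op == 'ap': return g[1] in label(letter(i))
        if op == 'not': return not ev(g[1], i)
        if op == 'and': return ev(g[1], i) and ev(g[2], i)
        if op == 'or': return ev(g[1], i) or ev(g[2], i)
        if op == 'iff': return ev(g[1], i) == ev(g[2], i)
        if op == 'X': return ev(g[1], norm(i + 1))
        ks = range(i, i + n + 1)           # covers a full loop, whatever i is
        if op == 'F': return any(ev(g[1], norm(k)) for k in ks)
        if op == 'G': return all(ev(g[1], norm(k)) for k in ks)
        if op == 'U':
            return any(ev(g[2], norm(k)) and all(ev(g[1], norm(j)) for j in range(i, k)) for k in ks)
        if op == 'B':                      # g[2] never holds, or g[1] holds strictly before its first occurrence
            first = next((k for k in ks if ev(g[2], norm(k))), None)
            return first is None or any(ev(g[1], norm(j)) for j in range(i, first))
        raise ValueError(op)
    return ev(f, 0)

# Constructed abstraction: Sigma = {a, b, c}, Sigma' = {a, b}; h keeps a and b and hides c.
H = {'a': 'a', 'b': 'b', 'c': 'eps'}
X_CONCRETE = ('caccb', 'cab')          # x = caccb (cab)^omega, a lasso word over Sigma

def h_lasso(word):
    """h applied letter by letter; h(x) is an omega-word only if the loop keeps a visible letter."""
    vis = [''.join(H[l] for l in part if H[l] != 'eps') for part in word]
    if not vis[1]: raise ValueError('h(x) is a finite word')
    return (vis[0], vis[1])

X_ABSTRACT = h_lasso(X_CONCRETE)       # x' = h(x) = ab (ab)^omega

def transfer(eta):
    """(x' |= eta under lambda_Sigma', x |= R(eta) under lambda_{h,Sigma Sigma'});
    Lemmas 7.6 and 7.7 say the two values agree for every eta in Sigma'-normal form."""
    abstract = sat(eta, X_ABSTRACT, lambda l: {l})
    concrete = sat(R(eta), X_CONCRETE, lambda l: {H[l]})
    return abstract, concrete
```

`transfer(alw(evt(ap('b'))))` returns `(True, True)` and `transfer(neg(ap('a')))` returns `(False, False)`: the second pair shows why $R$ rather than $T$ is needed at the top level, since the hidden leading $c$ of $x$ must be skipped by $(\varepsilon)\; U\; (\cdot)$ before $\neg(a)$ is evaluated.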



8. PRESERVATION OF PROPERTIES SATISFIED WITHIN FAIRNESS

Let $L \subseteq \Sigma^*$ be a prefix-closed language, let $h : \Sigma^\infty \to \Sigma'^\infty$ be an abstraction homomorphism, and let $\eta$ be a PLTL-formula in $\Sigma'$-normal form. Assume that $\eta$ is satisfied by $\lim(h(L))$ within fairness; in our notation $\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$. We will prove that, if the homomorphism $h$ is weakly continuation-closed, then the property corresponding to $\eta$ is also satisfied within fairness by $\lim(L)$, i.e. that $\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$. To establish this result we need a condition that allows us to commute Eilenberg-limit and homomorphism application.

Lemma 8.1. If $L \subseteq \Sigma^*$ is a prefix-closed regular language and $h : \Sigma^\infty \to \Sigma'^\infty$ is an abstraction homomorphism, then $\lim(h(L)) = h(\lim(L))$.



Lemma 8.1 appears to be rather trivial. But, in fact, it holds neither for regular languages that are not prefix-closed nor for prefix-closed languages that are not regular. The languages $a^* \cdot b$ and $\mathit{pre}(\{b^i \cdot a^i \mid i \in \mathbb{N}\})$ reveal this observation for the homomorphism defined by $h(a) = a$ and $h(b) = \varepsilon$. To prove the lemma, we use König's Lemma in a suitable version ([Hoogeboom and Rozenberg 1986], Lemma 3.3):

Lemma 8.2 (König's Lemma). Let $\mathcal{R} \subseteq E \times E$ be a relation ($E$ is an arbitrary set) and let, for all $n \in \mathbb{N}$, $E_n$ be a finite nonempty subset of $E$ such that $\bigcup_{n \in \mathbb{N}} E_n$ is infinite and to each $e \in E_{n+1}$ there exists an $f \in E_n$ such that $(f, e) \in \mathcal{R}$. Then there exists an infinite sequence $(e_n)_{n \in \mathbb{N}}$ in $E$ such that $e_n \in E_n$ and $(e_n, e_{n+1}) \in \mathcal{R}$ for all $n \in \mathbb{N}$.



Proof of Lemma 8.1. "$\lim(h(L)) \subseteq h(\lim(L))$": We assume $\lim(h(L)) \neq \emptyset$ (otherwise the condition holds trivially). If $x$ is an $\omega$-word in $\lim(h(L))$, then $\mathit{pre}(x) \subseteq h(L)$ (remember that $L$ and therefore $h(L)$ are prefix-closed). Let $w_n$ be the prefix of $x$ of length $n$;¹ $(w_n)_{n \in \mathbb{N}}$ is then the sequence of all prefixes of $x$ and thus generates $x$ as its limit.

To each of the $w_n$ we construct a set $U_n$ of minimal inverse images of $w_n$. Let $U_n$ be the set of all words $u$ in $h^{-1}(w_n) \cap L$ such that there is no shorter word $v$ in $h^{-1}(w_n) \cap L$ with $\mathit{cont}(u, L) = \mathit{cont}(v, L)$. We define

$U_n = \{\, u \in h^{-1}(w_n) \cap L \mid \nexists v \in h^{-1}(w_n) \cap L : |u| > |v| \wedge \mathit{cont}(u, L) = \mathit{cont}(v, L) \,\}.$

Because all $w_n$ are in $h(L)$ there must be a $u \in L$ such that $h(u) = w_n$ to each $w_n$. Consequently, $U_n$ is not empty, for all $n \in \mathbb{N}$.

Let $u \in U_n$. For all $v \in U_n$ such that $\mathit{cont}(u, L) = \mathit{cont}(v, L)$, we have $|u| = |v|$ by definition of $U_n$. Because the set $\{\mathit{cont}(t, L) \mid t \in \Sigma^*\}$ is finite (its cardinality corresponds to the number of states in the minimal automaton accepting $L$), we obtain: $U_n$ is a finite set, for all $n \in \mathbb{N}$.

Because $U_n \cap U_m = \emptyset$ if $n \neq m$ and all $U_n$ are nonempty sets, we observe that $\bigcup_{n \in \mathbb{N}} U_n$ is an infinite set.

By $\prec$, we denote the proper prefix relation; i.e. for all $u, v \in \Sigma^*$, $u \prec v$ if and only if $u \neq v$ and $u \in \mathit{pre}(v)$. We show: For all $n \in \mathbb{N}$ and all $v \in U_{n+1}$, there exists a word $u \in U_n$ such that $u \prec v$. Let $v$ be in $U_{n+1}$ and let $u$ be in $\mathit{pre}(v)$ such that $h(u) = w_n$. Hence $u \prec v$. Because $L$ is prefix-closed, $u$ is in $L$ and thus $u \in h^{-1}(w_n) \cap L$. The remainder of $v$ after $u$ we call $v'$; i.e. $v = uv'$. We assume that $u$ is not in $U_n$ and show a contradiction.

If $u \notin U_n$, then there must be a word $u' \in h^{-1}(w_n) \cap L$ such that $|u'| < |u|$ and $\mathit{cont}(u, L) = \mathit{cont}(u', L)$. Because $u'$ is in $h^{-1}(w_n) \cap L$, we have $h(u'v') = w_{n+1}$. Because $\mathit{cont}(u, L) = \mathit{cont}(u', L)$, we obtain $u'v' \in L$ and $\mathit{cont}(v, L) = \mathit{cont}(u'v', L)$. So $u'v'$ is in $h^{-1}(w_{n+1}) \cap L$, $\mathit{cont}(u'v', L) = \mathit{cont}(v, L)$ and $|u'v'| < |v|$. Therefore $v \notin U_{n+1}$, which contradicts the choice of $v$.

Hence all preconditions to apply König's Lemma are satisfied by the sets $U_n$, $n \in \mathbb{N}$, and thus there exists an infinite sequence $(u_n)_{n \in \mathbb{N}}$ of words in $L$ such that $u_n \in U_n$ and $u_n \prec u_{n+1}$, for all $n \in \mathbb{N}$. The sequence $(u_n)_{n \in \mathbb{N}}$ uniquely generates some $y \in \lim(L)$ and, because $h(u_n) = w_n$, for all $n \in \mathbb{N}$, we obtain $h(y) = x$. So, for all $x \in \lim(h(L))$, there exists a $y \in \lim(L)$ such that $x = h(y)$. Thus $\lim(h(L)) \subseteq h(\lim(L))$.

"$h(\lim(L)) \subseteq \lim(h(L))$": Let $h(\lim(L)) \neq \emptyset$. Let $x$ be in $\lim(L)$, such that $h(x)$ is defined. Because $L$ is prefix-closed, all $u \in \mathit{pre}(x)$ are in $L$. So, for all $u \in \mathit{pre}(x)$, $h(u)$ is in $\mathit{pre}(h(x))$. Because $h(x)$ is defined, there are infinitely many different $h(u)$ in $\mathit{pre}(h(x))$, for $u \in \mathit{pre}(x) \subseteq L$. Thus $h(x)$ is in $\lim(h(L))$, and we obtain $h(\lim(L)) \subseteq \lim(h(L))$. □



Using Lemma 8.1, we can now prove a result relating a property satisfied within fairness by $\lim(h(L))$ to a property satisfied within fairness by $\lim(L)$.

Theorem 8.3. Let $L \subseteq \Sigma^*$ be a prefix-closed regular language, let $h : \Sigma^\infty \to \Sigma'^\infty$ be an abstraction homomorphism such that $h$ is weakly continuation-closed on $L$ and $h(L)$ does not contain maximal words², and let $\eta$ be a PLTL-formula in $\Sigma'$-normal form. Then

$\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$ if and only if $\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$.

¹ The notation $w_n$ should not be confused with the $n$th power of $w$ ($n$ is just an index).
² Maximal words in $h(L)$ are words that are not a proper prefix of another word in $h(L)$. We will lift the restriction to maximal-word-free abstractions in the next section.



This theorem will be a consequence of the following two lemmas (Lemma 8.4 and Lemma 8.5).



Lemma 8.4. Let $L \subseteq \Sigma^*$ be a prefix-closed regular language, let $h : \Sigma^\infty \to \Sigma'^\infty$ be an abstraction homomorphism such that $h$ is weakly continuation-closed on $L$ and $h(L)$ does not contain maximal words, and let $\eta$ be a PLTL-formula in $\Sigma'$-normal form. We have that

$\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$ implies $\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$.

Proof. We assume that $\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$ and derive $\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$. By definition $\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$ if for all $u \in L$, there exists some $x \in \mathit{cont}(u, \lim(L))$ such that $ux, \lambda_{h,\Sigma\Sigma'} \models R(\eta)$. Consider thus an arbitrary $u \in L$. Because $h$ is weakly continuation-closed on $L$, there exists $v \in \mathit{cont}(h(u), h(L))$ such that

$\mathit{cont}(v, h(\mathit{cont}(u, L))) = \mathit{cont}(v, \mathit{cont}(h(u), h(L))) = \mathit{cont}(h(u)v, h(L)).$ (1)

As $\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$, we get $\forall r \in \mathit{pre}(\lim(h(L))) : \exists s \in \mathit{cont}(r, \lim(h(L))) : rs, \lambda_{\Sigma'} \models \eta$, and in particular, by substituting $h(u)v$ for $r$, there exists some $y \in \mathit{cont}(h(u)v, \lim(h(L))) = \lim(\mathit{cont}(h(u)v, h(L)))$ such that

$h(u)vy, \lambda_{\Sigma'} \models \eta.$ (2)

Given equation (1) this is equivalent to

$y \in \lim(\mathit{cont}(v, h(\mathit{cont}(u, L)))) = \mathit{cont}(v, \lim(h(\mathit{cont}(u, L)))).$

Thus we know that $vy$ is in $\lim(h(\mathit{cont}(u, L)))$, which, in view of Lemma 8.1, is equivalent to

$vy \in h(\lim(\mathit{cont}(u, L))).$

So, there exists $x \in \lim(\mathit{cont}(u, L))$ such that

$h(x) = vy.$ (3)

Viewing $vy$ as a single word $z$, we have shown that for all $u \in L$, there exists $x \in \lim(\mathit{cont}(u, L))$ and $z \in \mathit{cont}(h(u), \lim(h(L)))$ such that $h(x) = z$ (because of equation (3)) and $h(u)z, \lambda_{\Sigma'} \models \eta$ (because of equation (2)).

Consider now the language $\hat{L} = \mathit{pre}(ux)$ of prefixes of $ux$. Clearly, $\lim(\hat{L}) = \{ux\}$ and $\lim(h(\hat{L})) = \{h(u)z\}$.

Because $h(u)z, \lambda_{\Sigma'} \models \eta$, we have $\lim(h(\hat{L})), \lambda_{\Sigma'} \models \eta$. Using Lemma 7.5 and given that $\lim(\hat{L}) \subseteq h^{-1}(\lim(h(\hat{L})))$, we obtain $\lim(\hat{L}), \lambda_{h,\Sigma\Sigma'} \models R(\eta)$, or $ux, \lambda_{h,\Sigma\Sigma'} \models R(\eta)$. We have thus shown that for all $u \in L$, there exists $x \in \mathit{cont}(u, \lim(L))$, such that $ux, \lambda_{h,\Sigma\Sigma'} \models R(\eta)$. Hence we have shown that $\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$. □
As discussed in an earlier section using an example, Lemma 8.4 does not hold if we do not require the abstraction homomorphism to be weakly continuation-closed.

Lemma 8.5. Let $L \subseteq \Sigma^*$ be a prefix-closed regular language. Let $h : \Sigma^\infty \to \Sigma'^\infty$ be an abstraction homomorphism such that $h(L)$ does not contain maximal words. Let $\eta$ be a PLTL-formula in $\Sigma'$-normal form. Then

$\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$ implies $\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$.

Proof. We assume that $\lim(L), \lambda_{h,\Sigma\Sigma'} \models_L R(\eta)$ and show that $\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$. Let $w' \in \mathit{pre}(\lim(h(L)))$, let $w \in \mathit{pre}(\lim(L)) \cap h^{-1}(w')$, and let $x \in \mathit{cont}(w, \lim(L))$ such that $wx, \lambda_{h,\Sigma\Sigma'} \models R(\eta)$.

If $h(wx)$ is defined, then, by Lemma 7.5, $h(wx), \lambda_{\Sigma'} \models \eta$. Therefore, there exists an $x' = h(x) \in \mathit{cont}(w', \lim(h(L)))$ such that $w'x', \lambda_{\Sigma'} \models \eta$.

If $h(wx)$ is undefined, then there is a prefix $v$ of $wx$ such that $h(\mathit{cont}(v, \mathit{pre}(wx))) = \{\varepsilon\}$. (In fact, there are infinitely many of these prefixes $v$.) Then, by definition of $R$ and $\lambda_{h,\Sigma\Sigma'}$, we have, for all $y \in \Sigma^\omega$, that $vy, \lambda_{h,\Sigma\Sigma'} \models R(\eta)$.

If there exists $y \in \Sigma^\omega$ such that $h(y) \in \mathit{cont}(h(v), \lim(h(L)))$, then let $x'$ be the only $\omega$-word in $\mathit{cont}(w', h(vy))$; $x'$ is in $\mathit{cont}(w', \lim(h(L)))$. So by Lemma 7.5, $w'x', \lambda_{\Sigma'} \models \eta$.

If there exists no $y \in \Sigma^\omega$ such that $h(y) \in \mathit{cont}(h(v), \lim(h(L)))$, then $h(L)$ contains maximal words, which contradicts the lemma's preconditions.

So, for all $w' \in \mathit{pre}(\lim(h(L)))$, there exists an $x' \in \mathit{cont}(w', \lim(h(L)))$ such that $w'x', \lambda_{\Sigma'} \models \eta$. Thus $\lim(h(L)), \lambda_{\Sigma'} \models_L \eta$. □



We discuss in the next section how we can extend Theorem 8.3 to deal with maximal words.

9. IMPROVING THE RESULTS

If a language $L \subseteq \Sigma^*$ contains maximal words, i.e. words that have no continuation in $L$, then $\lim(L)$ contains no information about them: if $w$ is a maximal word in $L$, then $w \notin \mathit{pre}(\lim(L))$. To avoid this loss of information we extend maximal words by dummy letters. Formally, we define satisfaction within fairness on $L$ itself instead of $\lim(L)$.

Definition 9.1. Let $L \subseteq \Sigma^*$. Let $\# \notin \Sigma$. We define the set of maximal words of $L$ by $\max(L) = \{w \in L \mid \mathit{cont}(w, L) = \{\varepsilon\}\}$. We define the extension of $L$ to be $\mathit{xtd}(L) = L \cup \max(L) \cdot \{\#\}^*$.

If $L$ is a regular language, then the construction of an automaton accepting $\mathit{xtd}(L)$ is easy: for all accepting states in a reduced deterministic automaton for $L$ that have no outgoing transition, add a self-loop labelled with $\#$ to that state. Then the resulting automaton accepts $\mathit{xtd}(L)$.
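As an added example, not code from the paper, the following Python implements on small partial DFAs the notions this section relies on: a prefix-closedness check, the maximal words $\max(L)$ of Definition 9.1, and the $\#$-self-loop construction for $\mathit{xtd}(L)$ described above. The sample automata, for $\mathit{pre}(\{abc, ad\})$ and for the language $a^* \cdot b$ mentioned after Lemma 8.1, are constructed for illustration. The prefix-closedness test uses the standard fact (not stated on the page) that a regular language is prefix-closed exactly when every state of a trim automaton for it is accepting.

```python
"""Prefix-closed regular behaviours as (partial) DFAs: the prefix-closedness test, the
maximal words max(L) = {w in L | cont(w, L) = {eps}} and the automaton for xtd(L) of
Definition 9.1.  Added example, not code from the paper; the two sample automata are
constructed for illustration."""
from itertools import product

class DFA:
    """Partial deterministic automaton: a missing transition rejects the word."""
    def __init__(self, states, alphabet, delta, init, final):
        self.states, self.alphabet = frozenset(states), frozenset(alphabet)
        self.delta = dict(delta)                       # (state, letter) -> state
        self.init, self.final = init, frozenset(final)

    def run(self, word):
        q = self.init
        for a in word:
            q = self.delta.get((q, a))
            if q is None: return None
        return q

    def accepts(self, word):
        return self.run(word) in self.final

    def has_successor(self, q):
        return any(p == q for (p, _) in self.delta)

    def trim(self):
        """Keep the states reachable from init from which some final state is reachable."""
        reach, todo = {self.init}, [self.init]
        while todo:
            q = todo.pop()
            for (p, _), r in self.delta.items():
                if p == q and r not in reach: reach.add(r); todo.append(r)
        coreach, grew = set(self.final), True
        while grew:
            grew = False
            for (p, _), r in self.delta.items():
                if r in coreach and p not in coreach: coreach.add(p); grew = True
        keep = reach & coreach
        delta = {(p, a): r for (p, a), r in self.delta.items() if p in keep and r in keep}
        return DFA(keep | {self.init}, self.alphabet, delta, self.init, self.final & keep)

def is_prefix_closed(dfa):
    """L is prefix-closed iff every state of the trim automaton is final: a non-final trim
    state is reached by a prefix u of some accepted word uv, and that u is not in L."""
    t = dfa.trim()
    return t.states <= t.final

def is_maximal_word(dfa, word):
    """w in max(L): w is accepted and the trim automaton has no transition out of its state."""
    t = dfa.trim()
    q = t.run(word)
    return q in t.final and not t.has_successor(q)

def maximal_words(dfa, max_len):
    """All maximal words up to max_len, by enumeration (fine for the small samples here)."""
    t = dfa.trim()
    return sorted(''.join(w) for n in range(max_len + 1)
                  for w in product(sorted(t.alphabet), repeat=n) if is_maximal_word(t, w))

def xtd(dfa, pad='#'):
    """Automaton for xtd(L) = L u max(L).{#}*: add a #-self-loop to every final state of the
    trim automaton that has no outgoing transition (the construction of Section 9)."""
    t = dfa.trim()
    if pad in t.alphabet: raise ValueError('the padding letter must be fresh')
    delta = dict(t.delta)
    for q in t.final:
        if not t.has_successor(q): delta[(q, pad)] = q
    return DFA(t.states, t.alphabet | {pad}, delta, t.init, t.final)

# Constructed samples.  PRE_L accepts pre({abc, ad}); its maximal words are abc and ad.
PRE_L = DFA(range(5), 'abcd', {(0, 'a'): 1, (1, 'b'): 2, (2, 'c'): 3, (1, 'd'): 4}, 0, range(5))
# A_STAR_B accepts a*.b, the non-prefix-closed language discussed after Lemma 8.1.
A_STAR_B = DFA([0, 1], 'ab', {(0, 'a'): 0, (0, 'b'): 1}, 0, [1])
```

`maximal_words(PRE_L, 4)` returns `['abc', 'ad']`, `xtd(PRE_L).accepts('abc###')` is true while `PRE_L.accepts('abc#')` is false, and `xtd(PRE_L)` has no maximal words left, which is exactly what lets $\lim(\mathit{xtd}(L))$ retain the terminating computations that $\lim(L)$ forgets.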

Definition 9.2. Let $L \subseteq \Sigma^*$, let $\eta$ be a PLTL-formula, and let $\lambda : \Sigma \to 2^{AP}$ be a labelling function. $L$ satisfies $\eta$ within fairness with respect to $\lambda$ (written: $L, \lambda \models_L \eta$) if and only if $\lim(\mathit{xtd}(L)), \lambda \models_L \eta$.



Definition 9.3. Let $\Sigma$ be an alphabet. A PLTL-formula is in extended $\Sigma$-normal form if and only if it is in positive normal form (Definition 7.1), $\Sigma \cup \{\varepsilon\}$ is its set of atomic propositions, and it contains the atomic proposition $\varepsilon$ only in the form $\Box(\varepsilon)$ ("all actions are hidden by the abstraction").

Definition 9.4. Let $\lambda : \Sigma \to 2^{AP}$ be a labelling function for an alphabet $\Sigma$ and a set of atomic propositions $AP$.

We define the $\varepsilon$-extension of $\lambda$ to be the function $\lambda^\varepsilon : \Sigma \cup \{\#\} \to 2^{AP \cup \{\varepsilon\}}$ such that $\lambda^\varepsilon(a) = \lambda(a)$, for all $a \in \Sigma$, and $\lambda^\varepsilon(\#) = \{\varepsilon\}$.

We define the $\#$-extension of $\lambda$ to be the function $\lambda^\# : \Sigma \cup \{\#\} \to 2^{AP \cup \{\#\}}$ such that $\lambda^\#(a) = \lambda(a)$, for all $a \in \Sigma$, and $\lambda^\#(\#) = \{\#\}$.

Theorem 9.5. Let $h : \Sigma^\infty \to \Sigma'^\infty$ be a weakly continuation-closed homomorphism on the prefix-closed regular language $L \subseteq \Sigma^*$. Let $\eta$ be a PLTL-formula in extended $\Sigma'$-normal form. Then

$L, \lambda^\varepsilon_h \models_L R(\eta)$ if and only if $h(L), \lambda^\varepsilon_{\Sigma'} \models_L \eta$.

Proof. Let the extension of $L$ with respect to empty abstract suffixes be the language $\mathit{xtd}_h(L) = L \cup \{w \in L \mid h(\mathit{cont}(w, L)) = \{\varepsilon\}\} \cdot \{\#\}^*$.

Let $h' : (\Sigma \cup \{\#\})^\infty \to (\Sigma' \cup \{\#\})^\infty$ be the abstraction homomorphism defined by $h'(a) = h(a)$, for all $a \in \Sigma$, and $h'(\#) = \#$. Because $h$ is weakly continuation-closed on $L$, $h'$ is weakly continuation-closed on $\mathit{xtd}_h(L)$ and $h'(\mathit{xtd}_h(L)) = \mathit{xtd}(h(L))$. The latter equality holds because $h$ being weakly continuation-closed on $L$ implies, for all $w \in L$, $\mathit{cont}(h(w), h(L)) = \{\varepsilon\}$ if $h(\mathit{cont}(w, L)) = \{\varepsilon\}$ [Ochsenschläger 1992].

Because $h'(\mathit{xtd}_h(L)) = \mathit{xtd}(h(L))$, $h'(\mathit{xtd}_h(L))$ does not contain maximal words.

Let $\eta'$ be the PLTL-formula that we obtain by replacing the atomic proposition $\varepsilon$ in $\eta$ by a new atomic proposition $\#$. We have

— $\lim(h'(\mathit{xtd}_h(L))), \lambda^\varepsilon_{\Sigma'} \models_L \eta$ if and only if $\lim(h'(\mathit{xtd}_h(L))), \lambda^\#_{\Sigma'} \models_L \eta'$,

— $\lim(\mathit{xtd}(L)), \lambda^\varepsilon_h \models_L R(\eta)$ if and only if $\lim(\mathit{xtd}_h(L)), \lambda^\varepsilon_h \models_L R(\eta')$, and

— $\lim(\mathit{xtd}_h(L)), \lambda^\varepsilon_h \models_L R(\eta')$ if and only if $\lim(\mathit{xtd}_h(L)), \lambda_{h'} \models_L R(\eta')$.

Additionally, by Theorem 8.3, we have that $\lim(h'(\mathit{xtd}_h(L))), \lambda^\#_{\Sigma'} \models_L \eta'$ if and only if $\lim(\mathit{xtd}_h(L)), \lambda_{h'} \models_L R(\eta')$. According to the above established equivalences and $h'(\mathit{xtd}_h(L)) = \mathit{xtd}(h(L))$, we finally obtain $L, \lambda^\varepsilon_h \models_L R(\eta)$ if and only if $h(L), \lambda^\varepsilon_{\Sigma'} \models_L \eta$. □

If the above result is not restricted to PLTL properties but extended to all possible $\omega$-languages as properties, one can also show that weak continuation-closure of a homomorphism is not only a sufficient but also a necessary condition for an abstraction to preserve properties satisfied within fairness [Nitsche 1998b; Nitsche and Ochsenschläger 1996].



10. CONCLUSION

We have introduced satisfaction within fairness as a satisfaction relation with an inherent abstract notion of fairness. It is defined in terms of relative liveness properties [Alur and Henzinger 1995; Henzinger 1992], lifted from a property classification to a satisfaction relation [Nitsche and Ochsenschläger 1996; Nitsche and Wolper 1997]. Besides exploring the basic properties of the relation — including exploring its dual, relative safety — we have motivated its definition by considering a small but typical introductory example of a distributed system.

We have established the link from satisfaction within fairness to the usual satisfaction of linear-time properties under fairness by showing that, for a regular system behavior satisfying a linear-time property within fairness, a finite-state implementation can always be found that satisfies the property under strong fairness. As this finite-state implementation is usually significantly bigger (many more states) than the most compact finite-state implementation of the behavior, satisfaction within fairness offers a way of dealing with linear-time satisfaction under fairness using more compact behavior representations.

Since, however, state spaces of realistic systems are far too large to be constructed effectively, we have looked at behavior abstractions to decrease the size of the state space. Behavior abstraction is, compared to abstract interpretation, a relatively primitive but for that reason easy-to-apply approach to tackling state-space explosion. The two concepts in behavior abstractions are action renaming and hiding. These concepts can be defined in terms of language homomorphisms extended to operate on $\omega$-languages. In particular, action renaming alters patterns of events in computations of a system. To handle these alterations on the level of linear-time temporal logic model-checking, we use a syntactic transformation of PLTL-formulas. We show that an abstract computation of the system satisfies a PLTL-formula if and only if the concrete computation that results in the abstract one satisfies the syntactically transformed formula.

As discussed in the context of the motivating example mentioned above, it turns out that behavior abstractions are in general too imprecise to preserve properties satisfied within fairness. Here, preservation refers to a property being true on the abstract level implying that a corresponding property (the syntactically transformed one) is true on the concrete level. Elaborating on this, we give a condition on abstraction homomorphisms that guarantees the preservation of properties satisfied within fairness by the abstraction. The condition that abstraction homomorphisms must satisfy is weak continuation-closure [Ochsenschläger 1992]. The initial preservation result we establish for weakly continuation-closed abstractions and properties satisfied within fairness only holds for behaviors in which no computation is finite (no maximal words in the language representing the behavior). We have extended the result to capture also behaviors that contain terminating computations.

For practical purposes [Nitsche 1998a], it is essential to be able to obtain a representation of the abstract behavior of a system without an exhaustive construction of the concrete one. It appears promising to tackle this problem by applying partial-order reduction. The aim is to construct a (partial-order) reduced state space that results in the same abstract state space as the concrete state space would. In addition, it must be possible to check weak continuation-closure of the abstraction on the concrete state space by only considering the partial-order reduced one. A first major result in that direction is presented in [Ultes-Nitsche and St James 2000], where the persistent-set selective search [Godefroid and Wolper 1993; Wolper and Godefroid 1993] partial-order technique is applied in the context of the abstractions presented in this paper. The efficient construction of abstract state spaces beyond [Ultes-Nitsche and St James 2000] as well as efficiently checking weak continuation-closure will be topics for further study.